b'                                   OIG Audit Report No. 08-05 \n\n\n\n\n\nAUDIT OF NARA\'S COMPLIANCE WITH THE \n\n  FEDERAL INFORMATION SECURITY \n\n    MANAGEMENT ACT FOR FY 2007 \n\n\n          OIG Report No. 08-05 \n\n\n             March 20, 2008 \n\n\x0c                                                                                         OIG Audit Report No. 08-05\n\n\n  AUDIT OF NARA\'S COMPLIANCE WITH THE FEDERAL INFORMATION \n\n              SECURITY MANAGEMENT ACT FOR 2007 \n\n\n                                           TABLE OF CONTENTS \n\n\nCHAPTER                                                                                                           PAGE\n\nEXECUTIVE SUMMARY ................................................................................................. 1 \n\n\nINTRODUCTION ...............................................................................................................4 \n\n\nCOMPUTER SECURITY INCIDENT RESPONSE CAPABILITY. .................................6 \n\n\nNARA CERTIFICATION AND ACCREDITATION PROCESS ................................... 17 \n\n\nCONTINGENCY PLANNINGIDISASTER RECOVER ................................................ .25 \n\n\nPROGRAM-LEVEL PLAN OF ACTION AND MILESTONES PROCESS ................. .30 \n\n\nSECURITY AWARENESS TRAINING FOR INDIVIDUALS WITH SIGNIFICANT \n\nSECURITY RESPONSIBILITIES ................................................................................... .32 \n\n\nPRIVACY PROGRAM ............ ~ ........................................................................................34 \n\n\nAPPENDIX A. IT SYSTEMS REVIEWED AND RESULTS OF THE REVIEW ........ .36 \n\n\n\n\n\n                                                      Page i \n\n                                   National Archives and Records Administration\n\x0c                                                                     OIG Audit Report No. 08-05\n\n\nEXECUTIVE SUMMARY\n\nInfonnation and the systems that process it are among the most valuable assets of any\norganization. Adequate security of these assets is a fundamental management\nresponsibility. The Federal Infonnation Security Management Act (FISMA) sets forth a\ncomprehensive framework for ensuring the effectiveness of security controls over\ninfonnation resources supporting federal operations and assets.\n\nFISMA requires the head of each agency to: (a) provide infonnation security\ncommensurate with the risk and magnitude of the hann resulting from unauthorized\naccess, use, disclosure, disruption, modification, or destruction of infonnation collected\nor maintained by or on behalf of the agency; and infonnation systems used or operated by\nan agency or by a contractor of an agency or other organization on behalf of an agency;\nand (b) ensure senior agency officials provide infonnation security for the infonnation\nand infonnation systems supporting the operations and assets under their control.\nFurthennore, FISMA requires the Office of Inspector General (OIG) to annually evaluate\nthe agency\'s infonnation security program and report to OMB.\n\nAs part of the annual FISMA review we conducted an audit this year instead oian\nevaluation. We assessed the adequacy of controls over infonnation security and\ncompliance with infonnation security policies, procedures, standards, and guidelines.\nSpecifically, we detennined the effectiveness of the NARA infonnation security program\nby testing the infonnation security policies, procedures, and practices over a\nrepresentative sample of the agency\'s systems.\n\nSome of the weaknesses we identified in our audit have been identified in previous\nFISMA evaluations and in Audit Report 06-09 "Review ofNARA\'s Infonnation Security\nProgram," July 31, 2006. We continued to find significant weaknesses that can be\nattributed to deficiencies in the design and operation of internal controls within the Office\nofInfonnation Services (NH). Due to the significance of these weaknesses NARA\ncannot be assured its systems and data are adequately secured. As a result, infonnation\ntechnology (IT) security is a material weakness within NARA.\n\nSpecific weaknesses identified this year include:\n\n   a) \t Incident detection, reporting, and response capabilities at NARA were not\n        adequate to ensure incidents were detected quickly, fully investigated and\n        resolved, and reported to appropriate officials, ifneeded. In addition, NH\n        officials did not follow documented procedures and did not test their incident\n        handling and response procedures during the year. Without adequate incident\n        handling capabilities, NARA cannot rapidly detect computer-security related\n        incidents, minimize loss and destruction, mitigate exploited weaknesses, and\n        quickly restore computing services.\n\n   b) \t IT systems were not appropriately certified and accredited for operation. \n\n        Specifically, NH officials did not properly complete many of the detailed \n\n        activities required for certification and accreditation. Without a proper \n\n\n                                             Page 1\n                          National Archives and Records Administration\n\x0c                                                                                 OIG Audit Report No. 08-05\n\n\n         certification and accreditation (C&A) of systems, NARA lacks assurance that its\n         systems and data are secure. In addition, certifying and accrediting officials may\n         not have had sufficient information to make timely, credible, risk-based decisions\n         on whether to authorize operation of those systems.\n\n    c) \t Ofthe 12 systems reviewed, 7 systems were identified as critical to NARA\'s\n         mission. However, a recovery strategy was not defined in the contingency plans\n         for these systems. Without a recovery strategy for its mission critical systems,\n         NARA does not have assurance critical systems can be recovered within\n         necessary time periods.\n\n    d) \t Standardized test procedures were used to test aspects of the contingency plans,\n         however, the tests did not actually test the feasibility of the plan or determine\n         whether effective communication would occur between contingency plan\n         participants. By not testing the contingency plans, NARA does not have\n         assurance the plans can be implemented quickly and effectively in the event of a\n         disaster.\n\n    e) \t NH officials did not establish a formal process to manage, prioritize, and track IT\n         security weaknesses identified in the NARA Information Security Program.\n         Specifically, the program-level plan of action and milestones l (POA&M) did not\n         include all IT security weaknesses and vulnerabilities known to management.\n         Without a complete POA&M, the ChiefInformation Officer (CIO) may not have\n         proper visibility of IT security weaknesses and can not use the POA&M as an\n         effective management tool to request and allocate resources for correcting IT\n         security weaknesses.\n\n    f) \t Only 35 of the 67 (52%) individuals with significant security responsibilities\n         completed the additional level of security awareness training and IT contractors\n         were not required to complete the additional training even though they have\n         significant security responsibilities over NARA IT assets and are IT security\n         professionals. The NARA Managers and Information System Security Officer\n         training course was intended for those individuals whose jobs involve significant\n         security responsibilities associated with the management or technical oversight of\n         NARA IT systems. The purpose of the course was to provide current information\n         about changes in IT security doctrine and reference policy and guidance affecting\n         IT security programs. Failure to ensure employees receive training at a level\n         associated with their responsibilities at NARA increases the risk of security\n         breaches resulting from employees who are not fully aware of their security roles\n         and responsibilities.\n\n\n\n\n1 A plan of action and milestones, also referred to as a corrective action plan, is a tool identifying tasks that\nneed to be accomplished. It details resources required to accomplish the elements of the plan, any\nmilestones in meeting the task, and scheduled completion dates for the milestones. The purpose of the\nPOA&M is to assist agencies in identifying, prioritizing, and monitoring the progress of corrective efforts\nfor security weaknesses found in programs and systems.\n\n                                                   Page 2\n                                National Archives and Records Administration\n\x0c                                                                              OIG Audit Report No. 08-05\n\n\n    g) \t Privacy Impact Assessments2 (PIAs) did not contain all the information required\n         by OMB 03-22 OMB Guidance for Implementing the Privacy Provisions ofthe E\xc2\xad\n         Government Act of2002, September 30, 2003. Information omitted related to\n         how the personally identifiable information in the system would be secured and\n         what choices were made as a result of performing the PIA. Without this\n         information the public, whose information may be stored in the system, does not\n         have assurance their information is being properly protected.\n\nIn addition, an internal program review 3 funded by NH during FY 2007 determined that\nNARA\'s information security policies lacked clearly defined responsibilities and actions\nand did not have a mechanism in place to monitor the policies and procedures.\nStrengthening management controls over the information security program by revising\npolicy and procedures and then enforcing compliance with the procedures will help to\nensure control weaknesses are corrected and NARA complies with applicable laws and\nregulations in the future.\n\nWe made 21 recommendations that, when implemented, will assist the agency in\nestablishing an information security program meeting FISMA and NIST requirements.\n\n\n\n\n2 A privacy impact assessment is a process for examining the risks and ramifications of using IT to collect, \n\nmaintain, and disseminate information in identifiable form from or about members of the public, and for \n\nidentifying and evaluating protections and alternative processes to mitigate the impact to privacy of \n\ncollecting such information. \n\n3 The Program Review for Information Security Management Assistance Report, October 30, 2007. \n\n\n\n                                                  Page 3\n                               National Archives and Records Administration\n\x0c                                                                    OIG Audit Report No. 08-05\n\n\n\n                                   INTRODUCTION\n\nBACKGROUND\n\nFISMA directs each Federal agency to develop, document and implement an agency\xc2\xad\nwide information security program to protect the information and information systems\nsupporting the operations and assets of the agency. According to FISMA, the head of\neach agency is responsible for providing information security protections commensurate\nwith the risk and magnitude of the harm resulting from unauthorized access, use,\ndisclosure, disruption, modification, or destruction of information collected or maintained\nby or on behalf of the agency; and information systems used or operated by an agency or\nby a contractor of an agency or other organization on behalf of an agency. In addition,\nthe head of each agency is responsible for ensuring senior agency officials provide\ninformation security for the information and information systems supporting the\noperations and assets under their control.\n\nFISMA directs the head of each agency to delegate to the agency CIO the authority to\nensure compliance with FISMA requirements including: (a) developing and maintaining\nan agency-wide information security program; (b) developing and maintaining\ninformation security policies, procedures, and control techniques to address all applicable\nrequirements; (c) training and overseeing personnel with significant responsibilities for\ninformation security; and (d) assisting senior agency officials concerning their\nresponsibility to provide information security.\n\nNARA Directive 101, Part 3 "Office oflnformation Services," September 30, 2007,\nappoints the Assistant Archivist of Information Services as the NARA Chieflnformation\nOfficer (CIO). The CIO is responsible for leading the NARA-wide information\ntechnology (IT) program to carry out the provisions ofthe Information Technology\nManagement Reform Act of 1996 and the E-Government Act of2002. The CIO also\nensures the NARA IT program conforms to all NARA and Federal standards, policies,\nand guidelines for interconnectivity and interoperability, computer system efficiency, and\ncomputer security.\n\nIn accordance with Office of Management and Budget (OMB) Circular A-130,\nAppendix III, Security ofFederal Automated Information Resources, agencies are\nrequired to establish controls to assure adequate security for all information processed,\ntransmitted, or stored in Federal automated information systems. "Adequate security"\nmeans security commensurate with the risk and magnitUde of the harm resulting from the\nloss, misuse, or unauthorized access to, or modification of, information. This includes\nassuring that systems and applications used by the agency operate effectively and provide\nappropriate confidentiality, integrity, and availability, through the use of cost-effective\nmanagement, personnel, operational, and technical controls.\n\n\n\n\n                                            Page 4\n                         National Archives and Records Administration\n\x0c                                                                        OIG Audit Report No. 08-0S\n\n\nOBJECTIVES, SCOPE, AND METHODOLOGY\n\nThe overall objective of the audit was to assess the adequacy of controls over information\nsecurity and compliance with information security policies, procedures, standards, and\nguidelines. Specifically, we determined the effectiveness of the NARA information\nsecurity program by testing the information security policies, procedures, and practices\nover a representative sample of the agency\'s systems.\n\nThe audit was conducted at Archives II in College Park, MD with the Office of\nInformation Services (NH) and the Office of General Counsel (NGC).\n\nTo accomplish our objective, we reviewed Public Law 107-347, the Federal Information\nSecurity Management Act of 2002, OMB Circular A-130, NIST standards and guidance\nas well as OMB policy memoranda. We interviewed NH and NGC officials and\nreviewed documentation provided by those offices to determine whether NARA has\nadequate controls to ensure compliance with FISMA and other Federal policy\nrequirements. Specifically, we obtained an inventory of information systems from the\nCIO and selected a representative judgmental sample to review. For the 12 systems\nselected as part of the sample, we obtained and reviewed: certification and accreditation\ndocuments; contingency plans; documentation of tests of security controls performed;\nrisk and/or threat assessments; system security plans, Plan of Action and Milestones; and\nany additional documentation needed to answer the audit objective. In addition, we\nobtained and reviewed the privacy impact assessments to determine whether all\ninformation required by OMB 03-22 was included.\nThis performance audit was conducted in accordance with generally accepted\ngovernment auditing standards (GAGAS) between June 2007 and January 2008. These\nstandards require that we plan and perform the audit to obtain sufficient, appropriate\nevidence to provide a reasonable basis for our findings and conclusions based on our\naudit objectives. We believe that the evidence obtained provides a reasonable basis for\nour findings and conclusions based on our audit objectives.\n\n\n\n\n                                            Page 5\n                         National Archives and Records Administration\n\x0c                                                                            OIG Audit Report No. 08-05\n\n\n\n          COMPUTER SECURITY INCIDENT RESPONSE CAPABILITY \n\n\nFISMA requires each agency to implement an information security program that includes\nprocedures for detecting, reporting, and responding to security incidents. Security\nincidents4 , whether caused by viruses, hackers, or software bugs, are becoming more\ncommon. When faced with a security incident, an agency should be able to respond in a\nmanner that both protects its own information and helps to protect the information of\nothers that might be affected by the incident. To address this concern, agencies should\nestablish formal incident response mechanisms.\n\nAccording to NIST SP 800-61 Computer Security Incident Handling Guide, January\n2004, computer security incident response has become an important component of\ninformation technology (IT) programs. Security-related threats are not only more\nnumerous and diverse but also more damaging and disruptive. New types of security\xc2\xad\nrelated incidents emerge frequently. Preventative activities can lower the number of\nincidents, but not all incidents can be prevented. An incident response capability is\ntherefore necessary for rapidly detecting incidents, minimizing loss and destruction,\nmitigating exploited weaknesses, and restoring computing services. \'\n\nNH established a computer security incident handling and response capability, the stated\npurpose of which was to ensure computer security incidents are identified, reported, and\ncorrected as effectively and quickly as possible. This process, as described in NARA\'s\nComputer Security Incident Handling Guide, is designed to detect and respond to\ncomputer security incidents as they occur, to assist in preventing future incidents from\noccurring, to develop necessary response mechanisms to deal with incidents, to support\nIT security controls, and to implement appropriate response procedures. The guide\nprovides guidelines for incident handling, particularly for analyzing incident-related data\nand determining the appropriate response to each incident.\n\nNARA\'s incident handling and response capability is outsourced to two different\ncontractor groups. Contractors for NHI (Security) are responsible for monitoring the\nintrusion detection system5 (IDS) and creating trouble tickets for events identified by the\nIDS. Separate NHT (Operations) contractors are responsible for responding to the\ntrouble tickets and investigating security events. A government employee was designated\nas the NARA Computer Incident Response Team (CIRT) Team Lead and directed the\noperations of the two contractor groups. The Team Lead was also responsible for the\nactual conduct of the incident response process and reporting incidents to the US\nComputer Emergency Readiness Team (US CERT)6.\n\n\n4 According to NIST SP 800-61, a computer security incident is a violation or imminent threat of violation\nof computer security policies, acceptable use policies, or standard computer security practices.\n5 An intrusion detection system is software that looks for suspicious activity and alerts administrators.\n6 US CERT is a partnership between the Department of Homeland Security and the public and private\nsectors. Established in 2003 to protect the nation\'s internet infrastructure, US CERT coordinates defense\nagainst and responses to cyber attacks across the nation. The organization interacts with federal agencies,\nstate and local governments, industry professionals, and others to improve information sharing and incident\nresponse coordination and to reduce cyber threats and vulnerabilities.\n\n                                                 Page 6\n                              National Archives and Records Administration\n\x0c                                                                           OIG Audit Report No. 08-05\n\n\nContinuous Monitoring of the IDS did not Exist\n\nContinuous monitoring of the IDS did not exist during the workday to rapidly detect and\nrespond to incidents. NH officials accepted the risk presented by a lack of 24 hourn day\nincident response however, NH officials were not aware the IDS was not continuously .\nmonitored during the workday. According to NIST SP 800-61, the longer an incident\nremains undetected, the greater the potential for damage and loss. Without continuous\nmonitoring of the IDS, the response team would not be notified to begin their\ninvestigation until hours or in the case of weekends, days, after an event had occurred.\n\nAlthough the CIRT Team Lead believed the IDS was continuously monitored during the\nworkday, the IDS analyst ran only one report per day at 9:00 am compiling all the events\ndetected from the previous 24 hours. In one example,the NARA Intrusion Detection\nReport for October 31, 2007, found five incidents ofpotentially malicious activity. Two\nof the incidents occurred the previous day, October 30, 2007, at 11 :34 am however,\nbecause the events occurred after 9:00 am on October 30th , these events were not reported\nor investigated until 24 hours later.\n\nAccording to NIST SP 800-61, larger organizations as well as smaller ones supporting\ncritical infrastructures, usually need incident response staff to be available 2417. This\ntypically means incident handlers can be contacted by phone or pager, but it can also\nmean an onsite presence is required at all times. Real-time availability is the best for\nincident response because the longer an incident lasts, the more potential there is for\ndamage and loss.\n\nNH officials stated continuous monitoring of the IDS was in place --------------redacted,\nb(2)---------------------- and the Help Desk was staffed --------------redacted, b(2)-----------.\nTherefore, they believed the maximum amount of time an attack would go unnoticed was\n8 hours. ----------------------------------------redacted, b(2)---------------------------------------\xc2\xad\n----------------------------------------------------------------------------. According to an NH\nofficial, the risk presented by the lack of 24 hourl7 day incident response was an accepted\nrisk because NH does not have funding to support 24 hourn day incident response. The\nCIO added she would like to improve security but is constrained by the budget.\n\nAs a result of the audit, NH officials took action and directed the contractor to begin\nsubmitting multiple IDS reports per day. Starting in November 2007, the IDS analyst\nbegan monitoring the IDS during the day and issuing --------------------redacted, b(2)-----\xc2\xad\n--------------- to alert the CIRT team of new incidents discovered during the day. The IDS\nreports --------------redacted, b(2)-------------------------------. ----------------------------------\xc2\xad\n--------------------------redacted, b(2)----------------------------------------------------------------\xc2\xad\n\n\n\nRecommendation 1. The Assistant Archivist for Information Services should add the\nlack of 24 hourn day incident response to the program-level plan of action and\nmilestones and assess whether the risks presented require a reallocation of the IS security\nbudget.\n\n\n                                                Page 7\n                             National Archives and Records Administration\n\x0c                                                                     OIG Audit Report No. 08-05\n\n\nManagement Comment(s)\n\nThe Assistant Archivist for Information Services concurred with the recommendation.\n\n\n\n\nSecurity Events Were Not Always Fully Investigated\n\nIn reviewing security trouble tickets for events occurring between October 1, 2006 and\nNovember 1, 2007, we found several instances where security events identified by the\nIDS analyst were not fully investigated to determine whether an incident occurred. This\noccurred because NH officials did not monitor the contractor teams to ensure all events\nwere investigated. In addition, NH officials did not ensure the two contractor teams were\ncommunicating effectively. According to NIST SP 800-61, it is imperative that the most\nsuspicious activity is investigated. NIST SP 800-61 further states strong teamwork and\ncommunication are vital to effective incident handling. By not investigating events\nidentified, NARA is unsure whether attacks were successful and if so, the extent oftheir\nharm.\n\nFor example, the following three events were not investigated to determine whether an\nincident occurred:\n\n   (1) On June 8, 2007, the NARA Intrusion Detection Report contained a high alert\n   that a NARA system had accessed a potentially malicious website and should be\n   investigated to determine whether the system was compromised. Based on the\n   information provided by the IDS analyst, the NHT contractor was unable to\n   determine which NARA workstation was involved. The NHT contractor attempted to\n   follow-up with the IDS analyst to obtain additional information on the system\n   involved, however, further information was not provided. The NHT contractor\n   concluded that with the limited information, he was unable to investigate the issue\n   further and closed the ticket on June 8, 2007.\n\n   (2) On June 29, 2007, another high alert was reported in the NARA Intrusion\n   Detection Report. In this example, the NHT contractor was not able to investigate the\n   issue based on the information provided. According to the trouble ticket work log,\n   the NHT contractor spoke with the IDS analyst regarding the hick of information and\n   the IDS analyst agreed to do further research using the firewall log in order to track\n   down the actual system involved. However, the NHT contractor closed the ticket on\n   June 29, 2007, before further information could be obtained.\n\n    (3) On August 17,2007, the IDS identified an event classified as most likely\n    malicious in nature. The NHT contractor responding to the ticket stated there were\n    over 40 unique external IP addresses involved and asked for clarification. The NHT\n    contractor assigned the trouble ticket back to the IDS analyst and requested additional\n    information. As of November 28,2007 this ticket status is "Work in Progress"\n    meaning it has not been resolved or investigated.\n\n\n                                             Page 8\n                          National Archives and Records Administration\n\x0c                                                                        OIG Audit Report No. 08-05\n\n\nNH officials, including the CIRT Team Lead, did not monitor the two contractor teams to\nensure events were adequately investigated. Although the lack of information was\ncommunicated in the work log for the trouble tickets, NH officials did not request\nadditional action be taken to investigate the event before closing the trouble ticket. In\naddition, NH officials did not facilitate interaction among the two contractor teams to try\nand obtain the information needed. According to the NARA incident handling\nprocedures, the Information Security Officer is responsible for monitoring the resolution\nof all incidents, however, there was no evidence any monitoring took place.\n\nIn addition, NH officials did not ensure the two contractor teams were communicating\neffectively in the incident handling process. During the audit, we noted uncertainty by\nboth contractor teams as to whether the other had the knowledge and skills necessary to\nperform the job correctly. According to NIST SP 800-61, teamwork and communication\nare needed for effective incident handling therefore, doubt could adversely affect the\nability to work together as a team. The CIRT Team Lead needs to have an active role in\nfostering teamwork among the two contractor teams.\n\nRecommendation 2. The Assistant Archivist for Information Services should establish a\nprocess to review the Remedy trouble ticket work logs daily and communicate with the\nCIRT team, if needed, to ensure all events are fully investigated.\n\nManagement Comment(s)\n\nThe Assistant Archivist for Information Services concurred with the recommendation.\n\n\n\n\nIncident Response Procedures were not Tested\n\nNH officials did not perform testing to ensure the CIRT would function in the most\nefficient and effective manner possible. This occurred because NH officials believed\nresponding to real incidents in lieu of a test satisfied the requirement. NIST SP 800-61\nrecommends testing the incident response procedures so the incident response team can\npractice responding to large-scale incidents. By not testing the incident handling\nprocedures, NARA lacks assurance the incident handling capability is adequate to protect\nNARA\'s computer network and information systems against computer security-related\nincidents.\n\nAccording to NIST SP 800-61, organizations typically find it very challenging to\nmaintain situational awareness for the handling oflarge-scale incidents because of their\ncomplexity. Collecting, organizing, and analyzing all the pieces of information, so the\nright decisions can be made and executed, are not easy tasks. The key to maintaining\nsituational awareness is preparing to handle large-scale incidents, which should include\npracticing the handling of large-scale incidents through exercises and simulations on a\nregular basis. Such incidents happen rarely, so incident response teams often lack\nexperience in handling them effectively.\n\n\n                                            Page 9\n                         National Archives and Records Administration\n\x0c                                                                          OIG Audit Report No. 08-05\n\n\nThe CIRT Team Lead stated responding to real incidents in lieu of a test satisfied the\nNIST requirement. However, the CIRT Team was not convened in response to any\nincidents during the year. Therefore, NARA has no assurance the team will function in\nthe most efficient and effective manner possible to protect NARA\'s computer network\nand information systems against computer related incidents. Any problems associated\nwith NARA\'s incident response capability need to be detected and corrected before a\nreal, large-scale incident occurs.\n\nRecommendation 3. The Assistant Archivist for Information Services should conduct\ntesting of the incident response procedures involving both small and large scale security\nincident exercises and simulations to ensure the CIRT team functions efficiently and\neffectively and any problems can be identified.\n\nManagement Comment(s)\n\nThe Assistant Archivist for Information Services concurred with the recommendation.\n\n\n\n\nReporting of Computer Security Incidents was not Adequate\n\nNH officials did not report all security incidents that occurred between October 1, 2006\nand August 31, 2007, to US CERT as required. This occurred because NH officials\nrelied on the contractor to alert them of security incidents and did not conduct reviews of\nthe security trouble tickets opened. In addition, NH officials did not believe NARA had\nto follow the written procedures issued by US CERT. FISMA requires Federal agencies\nto report IT security incidents to the Federal Information Security Incident Center7 , a\ngovernment-wide incident response capability assisting Federal civilian agencies in their\nincident handling efforts, within the Department of Homeland Security. As a result,\nNARA is not in compliance with Federal law.\n\nWe identified nine computer security incidents that were not reported to US CERT.\nFurther, of the 15 incidents that were reported, only 4 (27%) were reported within the\nrequired timeframe.\n\n    a. At least nine incidents occurred during the year but were not reported to US\nCERT, as required. These incidents included one RootlUser Level intrusion, two\ninstances where malicious software was installed on NARA systems, five instances of\nimproper usage involving the violation of acceptable computer use policies, and one\nincident of an attempted access.\n\nNH officials relied on the contractors to alert them of important incidents and did not\nconduct reviews of the security trouble tickets opened. According to the CIRT Team\nLead, his review of the security trouble tickets was limited to only those incidents\n\n7 The Federal Information Security Incident Center is now referred to as the US Computer Emergency\nReadiness Team (US CERT).\n\n                                                Page 10\n                             National Archives and Records Administration\n\x0c                                                                         OIG Audit Report No. 08-05\n\n\nincluded in the daily Intrusion Detection Reports. However, by only reviewing tickets\nopened as a result of the IDS report, the CIRT Team Lead did not have visibility over\nincidents reported by the Field Operations System Administrators (FOSA) or incidents\nreported directly to the Help Desk by NARA users.\n\nIn one example, a FOSA identified a worm 8 that had copied itselfto the local hard drive\nof a system and mapped itself to the network drive. The security trouble ticket was\ncreated April 13, 2007, and based on the type of incident, should have been reported to\nUS CERT within one day. However, the CIRT Team Lead was not aware the trouble\nticket had been created, or that a worm had been discovered at one ofNARA\'s field sites\nuntil we identified the ticket during our audit. The CIRT Team Lead stated the FOSA\nshould have alerted him regarding the discovery. However, according to the CIRT Team\nLead, neither the FOSA nor the security contractor involved in investigating the incident\nnotified him.\n\n   b. Between October 1,2006, and September 4,2007, NARA reported 15 computer\nsecurity incidents to US CERT. In reviewing the 15 incidents reported, only 4 incidents\nwere reported within the required timeframe because NH officials did not believe NARA\nhad to follow the written procedures issued by US CERT. NH officials waited until\nAugust 27,2007, or later, to report 10 of the incidents (See Table 1).\n\n               Table 1. Review of Security Incidents Reported to US CERT\n\n                                                                   Timeframe          Submitted\n        Incident Category            Date        Date Reported\n                                                                   Required by          Within\n        Reported by NARA           Identified     to US CERT\n                                                                    US CERT          Timeframe?\n\n    1. CAT3 Malicious Logic        9/28/2006       11/7/2006           Daily              NO\n\n    2. CAT4 Improper Usage        11/16/2006       12/7/2006          Weekly              NO\n\n    3. CAT6 Investigation          unknown         3/20/2007            N/A              YES\n\n    4. CAT5 Attempted Access       4/30/2007       8/27/2007          Monthly             NO\n\n    5. CAT5 Attempted Access       5/16/2007       5/18/2007          Monthly            YES\n\n    6. CAT4 Improper Usage         5/17/2007       8/27/2007          Weekly              NO\n\n    7. CAT4 Improper Usage         5/22/2007       8/27/2007          Weekly              NO\n\n    8. CAT3 Malicious Logic         6/7/2007        6/7/2007           Daily             YES\n\n    9. CAT3 Malicious Logic         6/8/2007       8/27/2007           Daily              NO\n\n\n\n\n8A worm is a destructive program that may destroy data or use up tremendous computer or\ncommunications resources. Worms do not replicate like viruses. Instead, worms can run independently\nand travel from machine to machine across network connections by exploiting vulnerabilities and\napplication or system weaknesses.\n\n                                                Page 11\n                              National Archives and Records Administration\n\x0c                                                                        OIG Audit Report No. 08-0S\n\n\n\n                                                               Timeframe           Submitted\n     Incident Category          Date        Date Reported\n                                                               Required by           Within\n     Reported by NARA         Identified     to US CERT\n                                                                USCERT            Timeframe?\n\n 10. CAT5 Attempted\n                              6/12/2007       8/27/2007          Monthly              NO\n Access\n\n 11. CAT5 Attempted\n                              6/28/2007       8/27/2007          Monthly              NO\n Access\n\n 12. CAT5 Attempted\n                              6/29/2007       8/27/2007          Monthly              NO\n Access\n\n 13. CAT5 Attempted\n                              7/18/2007       8/27/2007          Monthly              NO\n Access\n\n 14. CAT5 Attempted\n                              7/20/2007       8/28/2007          Monthly              NO\n Access\n\n 15. CAT5 Attempted\n                              7/31/2007       8/27/2007          Monthly              YES\n Access\n\n\nAccording to NH officials, NARA\'s reporting processes and procedures were based off\nof verbal conversations with an individual at US CERT. One NH official stated actual\nincidents that US CERT would need to know about in a timely fashion would be reported\naccording to the established timeframes, but because NARA\'s incidents were all resolved\ninternally, NARA only had to report them by the end of year. This contradicts the written\nprocedures published by US CERT. US CERT issued written procedures regarding the\ntypes of incidents that should be reported and established timeframes for reporting\nincidents, however, the NH official believed the verbal direction outweighed the written\ninstructi ons.\n\nRecommendation 4. The Assistant Archivist for Information Services should establish a\nprocess to review all Remedy security trouble tickets opened and revise the incident\nhandling and Intrusion Detection System procedures to include the requirement that the\nCIRT Team Lead be notified if a high level incident is identified.\n\nManagement Comment(s)\n\nThe Assistant Archivist for Information Services concurred with the recommendation.\n\n\n\n\nPreventative Control Was Not Implemented\n\nA preventative control identified by NH officials in their FISMA response to OMB was\nnot actually in place. This occurred because NH officials did not monitor the contractor\nto ensure the contractor performed the specified activities. NIST SP 800-61 states\npreventative activities, such as ensuring systems, networks, and applications are\n\n                                           Page 12\n                         National Archives and Records Administration\n\x0c                                                                           OIG Audit Report No. 08-05\n\n\nsufficiently secure, can lower the number of incidents. In addition, the NARA Computer\nSecurity Incident Handling Guide states preventing problems is normally less costly and\nmore effective than reacting to them after they occur. By not ensuring preventative\ncontrols are in place, NARA may not be able to identify and fix system vulnerabilities\nbefore an attacker exploits the vulnerability.\n\nSpecifically, NH reported that as part oftheir testing and continuous monitoring process\nat least two production servers per week were audited, to include checks of the security\nconfigurations ofthose servers. However, when we requested the supporting\ndocumentation resulting from those audits, NH officials discovered the contractor did not\nperform the audits as required. Although the contractor had completed some audits, the\naudits were not conducted bi-weekly or on a regular basis. According to the\ndocumentation provided by NH, approximately 39 server audits were completed between\nJune 2006 and June 2007 instead of the 104 audits which should have been completed.\n\nIn addition, NH officials did not monitor the contractor to ensure recommendations\nresulting from the audits were mitigated. For example:\n\n  (a) An audit conducted on an ARC server in June 2006 found -----------------------------\xc2\xad\n-------------------------redacted, b(2)-----------------------------------------------------------------\xc2\xad\n\n\n\n\n  (b) An audit conducted on a MILRECS server on August 1, 2006, found ----------------\xc2\xad\n\n-------------------------------redacted, b(2)-----------------------------------------------------------\xc2\xad\n\n\n\n\n  (c) An audit conducted on a CMRS server on July 18, 2006, found -----------------------\xc2\xad\n\n-------------------------redacted, b(2)-----------------------------------------------------------------\xc2\xad\n\n\n\nAs of October 2007, the status of all three Change Request Tickets was "Work In\nProcess" indicating these weaknesses have not been corrected.\n\nNH officials did not adequately monitor the contractor to ensure the bi-weekly server\naudits were conducted and vulnerabilities identified were corrected. Specifically, the NH\nofficial assigned to monitor the contractor\'s performance was not aware of the\nrequirement for the contractor to perform bi-weekly server audits and did not believe it\nwas his responsibility to monitor that task because it related more to security than\noperations.\n\n\n\n                                                Page 13\n                              National Archives and Records Administration\n\x0c                                                                     OIG Audit Report No. 08-05\n\n\nRecommendation 5. The Assistant Archivist for Infonnation Services should designate\nan NH employee to receive the bi-weekly server audit results and to review the results to\nensure procedures are followed and security vulnerabilities are mitigated in a timely\nmanner.\n\nManagement Comment(s)\n\nThe Assistant Archivist for Infonnation Services concurred with the recommendation.\n\nRecommendation 6. The Assistant Archivist for Infonnation Services should conduct a\nreview of open Remedy tickets and direct the contractor, in writing, to address the\nvulnerabilities identified during the completed server audits.\n\nManagement Comment(s)\n\nThe Assistant Archivist for Infonnation Services concurred with the recommendation.\n\nRecommendation 7. The Assistant Archivist for Infonnation Services should add\nsecurity vulnerabilities identified during the server audits to the system\'s plan of action\nand milestones to ensure proper tracking and visibility.\n\nManagement Comment(s)\n\nThe Assistant Archivist for Infonnation Services concurred with the recommendations.\n\n\n\n\nPost-Incident Activities Were Not Conducted\n\nNH officials did not conduct post-incident activities in accordance with NIST and NARA\nguidance. Specifically, post-incident activities did not include holding "lessons learned"\nmeetings. This occurred because an NH official deleted this requirement from the\nincident handling procedures. NIST SP 800-61 recommends the use of lessons learned\nmeetings to evaluate the incident handling process and identify necessary improvements\nto security controls and practices. By not conducting post-incident activities, NARA is\nmissing a valuable opportunity to improve the incident handling process by identifying\nsecurity weaknesses and deficiencies in the policies and procedures.\n\nAccording to NIST SP 800-61, organizations should use the lessons learned process to\ngain value from incidents. After a major incident has been handled, the organization\nshould hold a lessons learned meeting to review how effective the incident handling\nprocess was, and identify necessary improvements to existing security controls and\npractices. Lessons learned meetings should also be held periodically for lesser incidents.\nThe infonnation accumulated from all lessons learned meetings should be used to\nidentify systemic security weaknesses and deficiencies in policies and procedures.\nFollow-up reports generated for each resolved incident can be important not only for\n\n\n\n                                            Page 14\n                          National Archives and Records Administration\n\x0c                                                                     OIG Audit Report No. 08-0S\n\n\nevidentiary purposes, but also for reference in handling future incidents and in training\nnew incident response team members.\n\nWe previously reported this finding in OIG Audit Report 06-09 "Review ofNARA\'s\nInformation Security Program," July 31, 2006. In that report, we recommended the\nAssistant Archivist for Information Services should require NARA IT security personnel\nto conduct post-incident activities in accordance with the guidance in NIST SP 800-61\nand the NARA Computer Security Incident Handling Guide, including (1) holding\n"lessons learned" meetings when a major incident occurs and periodically for lesser\nincidents, and (2) preparing "follow-up" incident reports. Management concurred with\nthe recommendation and agreed to take corrective action. However, the recommendation\nwas not implemented. Instead, one NH official made revisions to the NARA Computer\nSecurity Incident Handling Guide to remove the requirement for lessons learned\nmeetings.\n\nA previous version of the NARA Computer Security Incident Handling Guide required\npost incident activities be conducted after an incident was mitigated to determine how\neffective the incident handling process was and to identify necessary improvements to\nsecurity measures and the incident response process. An NH official, who was\nresponsible for the actual conduct of the incident response process, made revisions to the\nComputer Security Incident Handling and Response Guide. According to the Revision\nHistory Table, the changes made included updating the contact lists, adding the system\ninformation system security officer contact list, changing references from FedCIRC to\nUS-CERT and other editorial changes. However, we identified additional changes not\nrecorded in the revision table. One revision made was to delete the requirement for\nlessons learned meetings. According to the NH official, he revised the incident handling\nguide to remove requirements NH was not following such as the post incident activities.\nAllowing an NH employee to revise the procedures in order to remove requirements not\nbeing followed circumvents management controls and indicates additional controls are\nneeded in order to ensure compliance.\n\nRecommendation 8. The Assistant Archivist of Information Services should conduct\n"lessons learned" meetings in accordance with the guidance in NIST SP 800-61 when a\nmajor incident occurs and periodically for lesser incidents, and develop and implement a\ncontrol mechanism to verify compliance.\n\nManagement Comment(s)\n\nThe Assistant Archivist for Information Services concurred with the recommendation.\n\nRecommendation 9. The Assistant Archivist oflnformation Services should revise the\nNARA Computer Security Incident Handling Guide to include the requirement for IT\nsecurity personnel to conduct post-incident activities outlined in NIST SP 800-61.\n\nManagement Comment(s)\n\nThe Assistant Archivist for Information Services concurred with the recommendation.\n\n\n                                             Page 15\n                          National Archives and Records Administration\n\x0c                                                                        DIG Audit Report No. 08-05\n\n\nPertinent Information Missing from NARA Intrusion Detection Reports\n\nIDS reports issued by the IDS analyst to the incident response team did not identify the\ndate and time the event occurred. However, during a previous review ofNARA\'s\ninformation security program, this information had been included on the IDS reports.\nThe changes to the IDS report occurred because contractor staff changed during the year\nand the IDS Procedures did not require this information be included. Without the date\nand time the event occurred, reviews of security logs for details ofthe event would be\nextremely difficult if not impossible.\n\nThe date and time an event occurred is critical when determining which logs should be\nreviewed for details ofthe event. For example, the IDS Report dated Monday, April 9,\n2007, contained two high alert events. The IDS Report did not identify which date and at\nwhat times the events occurred, making the review of logs for details of the events\nextremely difficult, ifnot impossible.\n\nNH officials were not aware the date and time information had been removed from the\nIDS reports and took immediate action to begin including this information on future\nreports.\n\nRecommendation 10. The Assistant Archivist of Information Services should revise the\nIntrusion Detection System procedures to add a requirement for the date and time of the\nevent to be included in the daily Intrusion Detection Reports.\n\nManagement Comment(s)\n\nThe Assistant Archivist for Information Services concurred with the recommendation.\n\n\n\n\n                                            Page 16\n                         National Archives and Records Administration\n\x0c                                                                     OIG Audit Report No. 08-05\n\n\n\n           NARA CERTIFICATION AND ACCREDITATION PROCESS\n\nSecurity certification and accreditation (C&A) are important activities that support a risk\nmanagement process and are an integral part of an agency\'s information security\nprogram. According to NIST SP 800-37, Guide for the Security Certification and\nAccreditation ofFederal Information Systems, May 2004, security accreditation is the\nofficial management decision given by a senior agency official to authorize operation of\nan information system and to explicitly accept the risk to agency operations, agency\nassets, or individuals based on the implementation of the agreed-upon set of security\ncontrols. NIST SP 800-37 further states it is essential for agency officials to have the\nmost complete, accurate and trustworthy information possible on the security status of\ntheir information systems in order to make timely, credible, risk-based decisions on\nwhether to authorize operation of those systems. Although NIST SP 800-37 is a\nguidance document, OMB has mandated the use ofNIST SP 800-37 for system\ncertification and accreditation activities.\n\nOur review of the C&A process disclosed systems were not appropriately re-certified and\naccredited for operation. Specifically, NH officials did not complete many of the detailed\nactivities required by NIST SP 800-37. Without a proper C&A of systems, NARA lacks\nassurance its information systems and the data they contain are secure. See Appendix A\nfor detailed information regarding our review of systems in the sample.\n\nThe NARA IT Security C&A Methodology, version 4.6.1, September 14, 2007, states the\nassessment of risk and the development of System Security Plans are two important\nactivities in an agency\'s information security program directly supporting C&A and are\nrequired by FISMA and OMB Circular A-130, Appendix III.\n\nSystem Security Plans provide an overview of the information security requirements and\ndescribe the security controls that are either in place or planned to meet those\nrequirements. The system security plan also delineates responsibilities and expected\nbehavior of all individuals who access the system. The security plan should be viewed as\ndocumentation of the structured process of planning adequate, cost-effective security\nprotection for a system. It should reflect input from various managers with\nresponsibilities concerning the system, including information owners, the system owner,\nand the senior agency information security officer. Security plans are living documents\nrequiring periodic reviews, modifications, and milestone or completion dates for planned\ncontrols. Procedures should be in place outlining who reviews the plans and follows up\non planned controls.\n\nThe plan of action and milestones (POA&M) document is a key document in the security\naccreditation package and identifies: (a) tasks needing to be accomplished; (b) resources\nrequired to accomplish elements of the plan; (c) milestones in meeting the tasks; and (d)\nscheduled completion dates for the milestones. The POA&M describes the measures that\nhave been implemented or planned to correct any deficiencies noted during the\nassessment of the security controls, and to reduce or eliminate known vulnerabilities in\nthe information security.\n\n\n                                             Page 17\n                          National Archives and Records Administration\n\x0c                                                                               OIG Audit Report No. 08-05\n\n\nAfter a system has undergone certification and received approval to operate from the\nauthorizing official, the system enters a "continuous monitoring" phase. "Continuous\nmonitoring" provides oversight and monitoring of the security controls in the information\nsystem on an ongoing basis and informs the authorizing official when changes occur that\nmay impact the security of the system. OMB Circular A-130, Appendix III requires use\nof the system or application be re-authorized (re-certified and accredited) every three\nyears or whenever a significant change is made.\n\nSystem Categorizations were not Properly Assigned\n\nOverall, five systems did not have a system categorization9 matching the availability or\nconfidentiality requirements needed for the systems. This occurred because NH officials\nwere not aware IT systems were mentioned in the NARA Continuity of Operations Plan\n(COOP) and an NH official believed the confidentiality categorizations were appropriate\nbased on his knowledge of the systems. Federal Information Processing Standards\nPublication (FIPS) 199 requires agencies to categorize all information and information\nsystems based upon the need to provide appropriate levels of information security\naccording to a range of risk levels. As a result of not having the appropriate\ncategorization level, information in the systems may not be adequately protected.\n\nSpecifically, three systems were identified in the NARA COOP as critical to supporting\nNARA\'s mission, but had an availability rating of Low. Further, three systems identified\nas containing Personally Identifiable Information (PU) had a confidentiality rating of\nLow.\n\n  a. Three systems mentioned in the NARA COOP had an availability rating of Low: ---\xc2\xad\n-----------------------------------redacted, b(2 )-------------------------------------------------------\xc2\xad\n--------------------------------------------------------------------------------------. An availability\nclassification of Low means the disruption of access to or use of information or an\ninformation system could be expected to have a limited adverse effect on organizational\noperations, organizational assets, or individuals. However, because these systems are\ndesignated as essential in the NARA COOP, a disruption of access to use of the\ninformation would cause more than limited adverse effects on the organizational\noperation~. Further, one of those three systems,---b(2)---- had an overall FIPS 199 rating\nof "Low." The overall FIPS 199 rating determines the number of recommended\nminimum security controls for information systems. A "Low-impact" system requires\nfewer minimum security controls therefore, --redacted, b(2)------ may have less controls\nin place than the system warrants.\n\n  b. Three systems identified as containing Personally Identifiable Information had a\nconfidentiality rating of Low: --------------redacted, b(2)------------------------------- -------\xc2\xad\n\n9 NIST Federal Information Processing Standard (FIPS) 199 "Standards for Security Categorization of\nFederal Information and Information Systems," February 2004, established security categories for\ninformation and information systems. The categorization is based on the potential impact on an\norganization should certain events occur which jeopardize the information and information systems needed\nby the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities,\nmaintain its day-to-day functions, and protect individuals.\n\n                                                  Page 18\n                               National Archives and Records Administration\n\x0c                                                                      OIG Audit Report No. 08-05\n\n\n-----------------------redacted, b(2)-------------------------------. According to FISMA,\nconfidentiality relates to preserving authorized restrictions on access and disclosure,\nincluding means for protecting personal privacy and proprietary information. A loss of\nconfidentiality is the unauthorized disclosure of information. Because the systems\ncontain PH, the confidentiality level should be at least moderate.\n\nAccording to NH officials, the security categorizations for systems were decided by the\nsystem owners with assistance from NH however, NH officials were not aware the\nNARA COOP included individual systems because NH officials had not seen the latest\nversion of the COOP. In addition, an NH official stated two of the systems identified as\ncontaining PH did not, to his knowledge, contain PH therefore, he believed the\nconfidentiality categorization was appropriate.\n\nAppropriate system categorizations are important because the categorization level\ndetermines the number of baseline security controls required for the system. Therefore,\nby not having correct system categorizations, a system may have too many controls\nwhich would not be cost effective or, if a system was rated lower than it should be,\ninformation may not be adequately protected. NARA system owners and NH officials\nshould review the system categorizations for these five systems to determine whether the\ncategorization level is appropriate based on mission need and sensitivity of the data.\n\nRecommendation 11. The Assistant Archivist ofInformation Services, along with the\nsystem owners, should:\n\n        a. Re-evaluate the availability requirements for --------------redacted, b(2)---------\xc2\xad\n\n-----------------, and\n\n        b. Re-evaluate the confidentiality requirements for --------------redacted, b(2)-----\xc2\xad\n\n\n\nManagement Comment(s)\n\nThe Assistant Archivist for Information Services concurred with the recommendation.\n\n\n\n\nSystem Security Plans and System Plans of Action and Milestones were not\nComplete\n\nOf the 12 systems reviewed, 11 systems did not have a completed security plan, and the\nplan of action and milestones (POA&M) for 8 systems did not contain all the information\nrequired by OMB. This occurred because the CIO did not implement management\ncontrols to verify certification and accreditation activities were completed before\nauthorizing systems to operate. FISMA Section 3544(B) requires that agencies maintain\nsubordinate plans for providing adequate information security for networks, facilities,\n\n                                              Page 19\n                           National Archives and Records Administration\n\x0c                                                                                OIG Audit Report No. 08-05\n\n\ninfonnation systems, or groups of infonnation systems; as well as a process for planning,\nimplementing, evaluating, and documenting remedial action to address any deficiencies\nin infonnation security. As a result, NARA lacks assurance its systems and data are\nsecure. In addition, the CIO and ChiefInfonnation Security Officer (CISO) may not\nhave had sufficient infonnation to make timely, credible, risk-based decisions on whether\nto authorize operation of those systems.\n\n  a. Eleven ofthe 12 systems did not have completed security plans. Generally, the\nsystems had a portion of the infonnation required by NIST but not all. Specifically:\n\n    (1) Ten of the 12 plans reviewed did not contain security controls tied to NIST\nSP 800-53 or did not describe the controls in place or planned for meeting security\nrequirements. Federal agencies must meet the minimum security requirements defined in\nFIPS 200 through the use of the security controls in NIST SP 800-53, Recommended\nSecurity Controls for Federal Information Systems. The controls selected or planned\nmust be documented in a system security plan and tied to NIST SP 800-53.\n\n     (2) Nine of the 12 plans reviewed did not identify the overall FIPS 199 categorization\nfor the system or contained inconsistent infonnation within the plan regarding the\ncategorization level selected. FIPS 199 defines security categories for infonnation\nsystems based on potential impact on organizations, assets, or individuals should there be\na breach of security-that is, a loss of confidentiality, integrity, or availability. FIPS 199\nrequires agencies to select an overall security category for the infonnation system using a\nhigh watennark approach lO . Therefore, it is especially important for the overall FIPS 199\ncategorization to be included in the plan when there are various impact levels contained\nin one infonnation system.\n\n    (3) Five of the 12 plans reviewed did not adequately define the roles and\nresponsibilities for the system. According to NIST SP 800-18, a designated system\nowner must be identified in the security plan. In addition, an authorizing official and an\nindividual responsible for security of the system must be identified in the security plan\nfor each system.\n\n    (4) Five of the 12 plans reviewed did not contain the rules ofbehavior for the system.\nThe rules of behavior, which are required by OMB Circular A-130, Appendix III, and is a\nsecurity control contained in NIST SP 800-53, should clearly delineate responsibilities\nand expected behavior of all individuals with access to the system. The rules should state\nthe consequences of inconsistent behavior or noncompliance and be made available to\nevery user prior to receiving authorization for access to the system.\n\n  b. Ofthe 12 systems reviewed, 8 system POA&Ms did not contain infonnation\nneeded to track and correct security weaknesses identified in the systems. Specifically:\n\n\n\n10 The high watermark approach required by FIPS 199 is the maximum potential impact values for each\nsecurity objective (confidentiality, integrity, and availability) from the information type\'s resident on the\nsystem.\n\n                                                 Page 20\n                               National Archives and Records Administration\n\x0c                                                                             OIG.Audit Report No. 08-05\n\n\n    (1) Six of the 12 systems did not identify corrective actions to be taken to eliminate\nthe weakness\n\n    (2) Eight of the 12 systems did not provide an estimate of the resources required to\ntake the corrective action\n\n    (3) Six of the 12 systems did not identify the estimated completion dates for\neliminating the weaknesses. In addition, for two POA&Ms where completion dates were\nprovided, the dates had passed and the POA&M was not updated to either report the item\nas completed or revise the milestones.\n\n (4) Two of the 12 systems did not provide information about the status of corrective\nactions. We noted the status for all the weaknesses identified in seven of the POA&Ms\nwas "ongoing."\n\nAccording to GAO Standards for Internal Control in the Federal Government,\nNovember 1999, the organization\'s control environment provides discipline and structure\nas well as the climate which influences the quality of internal control. Agency\nmanagement plays a key role in providing leadership in this area, especially in providing\nguidance for proper behavior and removing temptations for unethical behavior.\nAccording to the CIO, she was aware the system security plans were not complete and\nbelieved that one reason why the plans were not complete was due to the strict deadline\nshe established for re-accreditation of the systems in order to get the systems removed\nfrom the OMB Watch-List.\n\nNH officials made the decision to not fully update the system security plans because it\nwould not be possible to complete the task within the deadline. Specifically, NH officials\ndeveloped a way to circumvent controls in the C&A process by completing only basic\nupdates to the security plans and then listing the incomplete security plan as a deficiency\nin the system POA&M. As a result, the system security plans were not updated and do\nnot contain the information required by NIST SP 800-18. In addition, NH typically\ndetermines the actions to be taken and the milestone dates for completion and inputs the\ninformation into the system POA&M however, due to resource constraints and pressure\nto complete the reaccreditations, this information had not been updated for all systems.\n\nAlthough the NARA C&A Methodology directs the information system owner to ensure\nthat the security plan is complete and that the plan contains enough detail to evaluate the\nsystem\'s security, NH officials did not hold the system owner accountable for the\nsecurity plan and did not review the C&A package to ensure that the system security plan\nor the POA&M was completed before the systems were re-certified and accredited.\n\nThe contractor responsible for the certification and accreditation packages originally\nrecommended interim authorization to operate 11 decisions for several NARA systems\n\nII According to NIST SP 800-37, an interim authorization to operate is rendered when the identified\nsecurity vulnerabilities in the information system resulting from deficiencies in the planned or implemented\nsecurity controls are significant but can be addressed in a timely manner. An interim authorization\nprovides a limited authorization to operate the information system and acknowledges greater risk to the\n\n                                                 Page 21\n                              National Archives and Records Administration\n\x0c                                                                             OIG Audit Report No. 08-05\n\n\nuntil the weaknesses identified in the POA&Ms were mitigated. This recommendation\nwas rejected by the Certifying Official and, without addressing the security weaknesses\nin the system POA&Ms, the Certifying Official had the contractor revise the certification\nstatements to recommend authorization to operate the systems. In addition, language\nrequiring weaknesses in the POA&M to be corrected within 180 days was removed from\nthe certification statements. We noted that based on the Certifying Official\'s direction,\nthe contractor recommended 11 systems be given authorization to operate. This decision\nmay not have been appropriate based on the vulnerabilities identified during the C&A\nprocess and the risks presented by those vulnerabilities.\n\nIn FY 2006 NH officials identified a reportable condition regarding documentation\nbecause of the incomplete C&A documentation. During interviews, NH officials\nindicated documentation produced had little impact on the quality of the C&A process or\ninformation security because the documents are not used once created. System\ndocumentation produced should provide valuable information as to the security controls\nin place for the system, and should be viewed as documentation ofthe structured process\nof planning adequate, cost-effective security protection for a system.\n\nRecommendation 12. The Assistant Archivist of Information Services should develop\nand implement management controls to monitor and enforce compliance with NIST SP\n800-37 and NARA C&A policy.\n\nManagement Comment(s)\n\nThe Assistant Archivist for Information Services concurred with the recommendation.\n\n\n\n\nLimited Assurance Exists over Security Control Testing\n\nBased on our review of the security test and evaluation results, evidence did not exist to\nverify the tests were actually performed to the extent detailed in the test plans. This\noccurred because NH officials did not have an adequate process in place to monitor the\ncontractor\'s performance. FISMA requires periodic testing and evaluation of the security\ncontrols in place for agency systems. Without adequate testing, NARA lacks assurance\nsecurity controls are in place and working as intended to protect its systems and data.\n\nNH officials used contractors to perform most of the security control testing this year.\nAccording to the test plan used, several tests required the tester to examine logs and\naccess lists, interview personnel, or verify security configurations. However, work\ndocumented in the test results did not detail the extent to which the contactor followed\nthe written test plan, and supporting documentation reviewed by the contractor during the\ntesting was not retained.\n\n\nagency for a specified period of time. When the security-related deficiencies have been adequately\naddressed, the interim authorization should be lifted and the information system authorized to operate.\n\n                                                 Page 22\n                              National Archives and Records Administration\n\x0c                                                                            OIG Audit Report No. 08-05\n\n\nNH officials did not have an adequate process in place to monitor the testing performed\nby contractors. Instead, NH officials required the contractor to record only their name,\nthe date the test was conducted, and whether the test passed or failed. According to an\nNH official, the contractor was not required to document work performed and NH\nofficials did not review any of the tests results to verify the accuracy of the tests. The\ninformation recorded in the test results does not provide assurance the test was conducted\nor the results of the testing can be relied upon.\n\nRecommendation 13. The Assistant Archivist ofInformation Services should develop a\nprocess to monitor the contractor\'s performance to verify testing was performed to the\nextent detailed in the test plans and review the security test and evaluation results to\nensure the results are reasonable.\n\nManagement Comment(s)\n\nThe Assistant Archivist for Information Services concurred with the recommendation.\n\n\n\n\nTwo National Security Systems were not Accredited\n\nTwo classified national security systems continued to operate even though the systems\nwere last accredited 12 in 1997. This occurred because NH officials did not take action to\nobtain an accreditation statement until 2006. The Director Central Intelligence Directive\n6-3 requires an accreditation decision be re-evaluated every three years or whenever any\nsecurity relevant change occurs. As a result, responsibility and accountability for the\nsecurity ofthe system has not been accepted.\n\nNH officials sent a memorandum to the accrediting authority at the Central Intelligence\nAgency (CIA) alerting the agency official the systems had not been re-accredited since\nthe original accreditation was received in 1997. According to NH officials, they tried to\nlocate the accrediting authority since 2001, but after September 11, 2001, CIA officials\nhad higher priorities than the re-accreditation ofNARA systems and it was not until\nrecently that contact was re-established with the accrediting authority.\n\nNARA continues to operate the systems even though the risks presented by the systems\nhave not been formally accepted.\n\nRecommendation 14. The Assistant Archivist of Information Services should develop\nand implement a mechanism to monitor system accreditations for NARA\'s National\nSecurity Systems to ensure the systems are re-certified and accredited at least every three\nyears.\n\n\n\n12 System accreditation is the official management decision to permit operation of an information system in\na specified environment at an acceptable level of risk based on the implementation of an approved set of\ntechnical, managerial, and procedural safeguards.\n\n                                                 Page 23\n                              National Archives and Records Administration\n\x0c                                                                   OIG Audit Report No. 08-05\n\n\n\nManagement Comment(s)\n\nThe Assistant Archivist for Information Services concurred with the recommendation.\n\n\n\n\n                                           Page 24\n                        National Archives and Records Administration\n\x0c                                                                     OIG Audit Report No. 08-05\n\n\n\n              CONTINGENCY PLANNING/DISASTER RECOVERY \n\n\nIT systems are vulnerable to a variety of disruptions, ranging from mild (e.g., short-term\npower outage, disk drive failure) to severe (e.g., equipment destruction, fire) from a\nvariety of sources such as natural disasters to terrorists actions. While many\nvulnerabilities may be minimized or eliminated through technical, management, or\noperational solutions as part ofthe organization\'s risk management effort, it is virtually\nimpossible to completely eliminate all risks. In many cases, critical resources may reside\noutside the organization\'s control (such as electric power or telecommunications), and the\norganization may be unable to ensure their availability. Thus effective contingency\nplanning, execution, and testing are essential to mitigate the risk of system and service\nunavailability.\n\nAccording to OMB Circular A-130, Management of Federal Information Resources,\nAppendix III, Security of Federal Information Resources, for major applications, Federal\nagencies should establish and periodically test the capability to perform the agency\nfunction supported by an application in the event of failure of its automated support.\n\nAccording to NIST SP 800-34, Contingency Planning Guide for Information Technology\nSystems, June 2002, IT and automated information systems are essential to an\norganization\'s success, therefore, it is critical the services provided by these systems are\nable to operate effectively without excessive interruption. Contingency planning\nsupports this requirement by establishing thorough plans and procedures and technical\nmeasures enabling a system to be recovered quickly and effectively following a service\ndisruption.\n\nRecovery Strategy for Restoring Mission Critical IT Systems is Inadequate\n\nOf the 12 systems reviewed, 7 systems were identified as critical to NARA\'s mission,\nhowever, a recovery strategy was not defined in the contingency plans for these systems.\nThis occurred because a business impact analysis had not been conducted to identify\ncritical NARA processes and NH officials did not believe there was any essential service\nor core business function of the agency that required restoration in any particular time\nperiod. According to NIST SP 800-34, the business impact analysis is a key step in the\ncontingency planning process and recovery strategies are developed based on the\ninformation obtained in the business impact analysis. By not having a defined recovery\nstrategy, NARA does not have assurance that critical NARA systems can be recovered\nwithin the time period needed.\n\nSpecifically, the contingency plans for six of the mission critical systems stated that the\nrecovery goal was to "revert to manual processing, if possible, and restore system\nfunctionality with vendor-supplied hardware as available." However, this strategy does\nnot provide recovery capability over the full spectrum of incidents because performing\nthe business process using manual means is typically acceptable for only short term\ndisruptions.\n\n\n\n                                            Page 25\n                          National Archives and Records Administration\n\x0c                                                                             DIG Audit Report No. 08-05\n\n\nAccording to NIST SP 800-34, a key step in the contingency planning process is the\nbusiness impact analysis. A business impact analysis correlates specific system\ncomponents with the critical services they provide, and based on that information,\ncharacterizes the consequences of a disruption to the system components. Conducting\nthis type of analysis requires input from the users and business process owners as well as\nother associated groups. The recovery strategy selected is based on the information\nidentified during the business impact analysis.\n\nAccording to an NH official, a business impact analysis may exist as a formal document\nfor some systems, but most of the contingency plans are based on an implied business\nimpact analysis done by the system owner when the security plan was written. That same\nNH official also acknowledged:\n\n       "The basic of assumption of almost all the contingency plans is based on the fact\n       that there is no essential service or core business function of the agency that\n       requires the restoration of the system in any particular time period, the exception\n       is NARANet, thus, there is no real need for a formal linkage between the\n       operational aspects of the current contingency plan and a business impact\n       analysis."\n\nHowever, multiple system owners identified their systems as critical to the functioning of\nNARA. Therefore, system owners and NH officials need to work together to determine\nappropriate recovery strategies.\n\nAlthough NH officials identified NARANet (NARA\'s general support system) as the\nonly essential system, a recovery strategy and recovery procedures did not exist for the\nsystem. NH officials provided an NH Disaster Recovery Plan dated July 30,2007, which\nstates as an underlying assumption that NH needs to provide IT services for NARA in the\nevent of a major disruption to its operational IT infrastructure and critical business\nprocess. However, the Disaster Recovery plan does not detail the procedures to be\nfollowed in order to facilitate the recovery of capabilities at an alternate site.\n\nFederal policy and guidance requires the development and maintenance of contingency\nplans to provide procedures and capabilities for recovering major applications or general\nsupport systems. Without a recovery strategy for its mission critical systems, NARA\ndoes not have a corrective control in place to restore IT operations quickly and effectively\nfollowing a service disruption.\n\nWe issued Management Letter 07-12, "Contingency Planning for IT Systems," on\nSeptember 20, 2007, to notify the Archivist regarding the significant risk to agency\noperations because adequate plans did not exist, and coordination among NARA Senior\nManagers had not been established, to ensure IT systems critical to NARA\'s mission\ncould be recovered quickly and effectively following a service disruption or disaster.\n\nRecommendation 15. The Archivist of the U.S. along with NARA Senior Management\nand Information Owners should:\n\n\n\n\n                                                Page 26\n                             National Archives and Records Administration\n\x0c                                                                            OIG Audit Report No. 08-05\n\n\n       a. Conduct a Business Impact Analysis following the instructions in NIST SP\n800-34 to identify NARA\'s critical business processes and the systems supporting those\nprocesses; and\n\n       b. Develop recovery strategies for at least those systems identified as critical\nbased on the outcome of the Business Impact Analysis.\n\nManagement Comment(s)\n\nThe Assistant Archivist for Information Services concurred with the recommendation.\n\n\n\n\nNo Record of Reviews of, or Changes to, Contingency Plans\n\nThe contingency plans for 11 ofthe 12 systems reviewed had not been updated since the\ninitial plans were created. This occurred because NH officials did not believe the\ncontingency plans needed to be updated or that it was their responsibility to update the\ncontingency plans. NIST SP 800-34 states that it is essential for the contingency plan to\nbe reviewed and updated regularly to ensure new information is documented and\ncontingency measures are revised if required. As a result, the contingency plans may\ncontain outdated information and may not accurately reflect system requirements.\n\nOf the 11 contingency plans reviewed 13, nine were dated 2004, and one was dated 2006.\nThe contingency plan for NARANet was the only plan dated 2007. There were no entries\nin the Record of Changes section in 10 of the 11 contingency plans to support that the\ncontingency plans were reviewed at least annually, as required by NIST guidance.\nAccording to NIST SP 800-34, the plan should be reviewed at least annually or whenever\nsignificant changes occur to any element of the plan.\n\nAccording to an NH official, the current system documentation was an accurate reflection\nof the "as is" state of system contingency planning. The CIO stated that ideally the\nsystem owner should be responsible for the contingency plan and should know what to do\nand be prepared if the system was unavailable for a few days because NH cannot ensure\nthat users for every system are prepared for a system failure. However, instead of\nholding the system owners accountable, another NH official directed the contractor who\noriginally wrote the contingency plans in 2004, to review and update the plans because\nthe NH official was fairly certain that in many of the plans, the system inventory and\npoints of contact would be out of date.\n\nRecommendation 16. The Assistant Archivist of Information Services should:\n\n       a. Revise the IT Security Policy to identify who is responsible for reviewing the\nsystem contingency plans and revising the plans to address changes or problems\nencountered during plan implementation, execution, or testing;\n\n13   There was one contingency plan prepared for the two classified AERIe systems.\n\n                                                  Page 27\n                               National Archives and Records Administration\n\x0c                                                                             OIG Audit Report No. 08-05\n\n\n       b. Implement management controls to verify contingency plans are reviewed and\nupdated at least annually as required by NIST SP 800-34; and\n\n      c. Update the contingency plans, if needed, and record any changes made in the\nRecord of Changes section of the plans.\n\nManagement Comment(s)\n\nThe Assistant Archivist for Information Services concurred with the recommendation.\n\n\n\n\nContingency Plans were not Adequately Tested\n\nTesting of the system contingency plans was not adequate and did not meet the intent of\nNIST guidance. Specifically, tabletop testing of the contingency plans for 1014 ofthe 12\nsystems reviewed did not evaluate the viability of the plan procedures, determine the\nability of recovery staff to implement the plan, or identify deficiencies in the plan. This\noccurred because NH officials believed testing the viability of the contingency plans was\noutside ofNH\'s responsibility. According to NIST SP 800-34, contingency plan testing\nis a critical element of a viable contingency capability. By not testing the viability of the\ncontingency plans, deficiencies within the plans cannot be identified and addressed, and\nNARA does not have assurance the plan can be implemented quickly and effectively in\nthe event of a disaster.\n\nContractor\'s used a standard test plan to perform the contingency plan testing. Although\nthe test plan included a section to test the manual or alternate procedures, the actual tests\nconducted did not test the manual or alternate procedures. For example, the test ofthe\ncontingency plan for --------------redacted, b(2)------------------------ consisted of re-typing\nthe contingency plan procedures in the test report and the system owner informing the\nindividual performing the test that the system does not have an alternate manual process.\nThe tabletop discussion held did not include a scenario or simulated incident to walk\nthrough how the system owner should react in certain situations. In addition, key\nparticipants 15 were not included in the tabletop discussion and roles, responsibilities and\nactions to be taken were not discussed.\n\nThe tests performed were limited because, according to NH officials, ensuring employees\nknow what to do if the systems they use are not available would be a business continuity\nfunction and not a contingency plan function. Therefore, NH officials believed testing\nthe viability of the contingency plan was outside ofNH\'s responsibility. Specifically,\none NH official stated the information system is a utility to assist employees in\nperforming their jobs and it is not NH\'s responsibility if the system owner is unable to\n\n\n14 The contingency plan for -------..,------redacted, b(2)--------------- had not been tested at the time of \n\n\nour review. \n\n15 Key participants identified in the contingency plans include a Contingency Plan Director, Contingency \n\nPlan Manager, Damage Assessment Team, and Contingency Plan Recovery Team. \n\n\n                                                 Page 28\n                              National Archives and Records Administration\n\x0c                                                                        OIG Audit Report No. 08-0S\n\n\nperform their mission without that system because that would be a continuity of\noperations plan function. A contingency plan differs from a continuity of operations plan\nbecause it provides the recovery and resumption procedures for an IT system, including\nprocedures for recovering a system resulting from minor disruptions that do not\nnecessarily require relocation to an alternate site.\n\nNIST SP 800-34 further states plan testing is a critical element of a viable contingency\ncapability because testing enables plan deficiencies to be identified and addressed.\nTesting also helps evaluate the ability of recovery staff to implement the plan quickly and\neffectively. Each IT contingency plan element should be tested to confirm the accuracy\nof the individual recovery procedures and the overall effectiveness of the plan. By not\ntesting the contingency plans, NARA has no assurance the plans will actually work and\nmay severely impact NARA\'s ability to recover its IT systems in the event of a disaster.\n\nRecommendation 17: The Assistant Archivist for Information Services, along with the\nsystem owners, should develop tests of the system contingency plans to evaluate the\nviability of the plan procedures and determine the ability of recovery staff to implement\nthe recovery strategy identified.\n\nManagement Comment(s)\n\nThe Assistant Archivist for Information Services concurred with the recommendation.\n\n\n\n\n                                            Page 29\n                         National Archives and Records Administration\n\x0c                                                                    OIG Audit Report No. 08-05\n\n\n\n    PROGRAM-LEVEL PLAN OF ACTION AND MILESTONES PROCESS\n\nThe program-level POA&M did not include all IT security weaknesses and\nvulnerabilities known to management. This occurred because NH officials did not\nestablish a formal process to manage, prioritize, and track IT security weaknesses\nidentified in the NARA Information Security Program. FISMA requires that federal\nagencies develop a process for planning, implementing, evaluating, and documenting\nremedial action to address any deficiencies in the information security policies,\nprocedures, and practices of the agency. Without a complete POA&M, the CIO may not\nhave proper visibility ofIT security weaknesses and can not use the POA&M as an\neffective management tool to request and allocate resources for correcting IT security\nweaknesses.\n\nFISMA requires that federal agencies develop a process for planning, implementing,\nevaluating, and documenting remedial action to address any deficiencies in the\ninformation security policies, procedures, and practices of the agency. OMB Memoranda\n02-01 and 04-25 provided instructions on how to implement a POA&M process and the\ninformation needed to report and track weaknesses identified. The purpose of the\nPOA&M is to help agencies in identifying, assessing, prioritizing, and monitoring the\nprogress of corrective efforts for security weaknesses found in programs and systems.\n\nAccording to NH officials, the program-level POA&M consisted of a Status of Audits\nand Evaluations spreadsheet maintained by NH and an Audit Action Summary database\nmaintained by NARA Policy and Planning Staff (NPOL). However, these tracking\nmechanisms related to open audit recommendations and did not focus on IT security\nweaknesses. In addition, the spreadsheet and database did not include all the information\nrequired by OMB such as prioritization of the weaknesses, funding needed to correct the\nweakness, or the severity of the weakness.\n\nIn addition to audits, IT security weaknesses can be identified through internal reviews\ndone by or on behalf of the agency such as annual security control testing and the C&A\nprocess. C&A testing conducted for NARA systems in FY 2007 identified systemic\nweaknesses within the NARA IT Security Program. However, an NH official stated he\nwas unsure where to report these weaknesses because he did not want to include the same\nweakness on each system POA&M. Instead, the NH official included the weaknesses on\nthe POA&M for the NARANet system. However, reporting the weaknesses on the\nNARANet system POA&M removed the CIO\'s visibility of the weaknesses because the\nCIO did not review system-level POA&Ms.\n\nIn addition to the systemic weaknesses, NH officials did not include all weaknesses\nidentified during the 2nd quarter 2007 vulnerability scan. According to NH officials, all\nof the vulnerabilities had been corrected; however, we found 84 Remedy tickets related to\nthe 2nd quarter 2007 vulnerability scan that had not been addressed.\n\nBased on interviews with NH and NPOL officials, there appeared to be a disconnect\nbetween the POA&M process required by OMB and what NARA officials believed the\nPOA&M process should be. NH officials believed all pertinent information was already\n\n                                            Page 30\n                         National Archives and Records Administration\n\x0c                                                                        OIG Audit Report No. 08-05\n\n\nincluded in the Status of Audits and Evaluations spreadsheet, therefore, they did not want\nto "create another document with no purpose."\n\nDuring the audit, NH officials revised their Status of Audits and Evaluations spreadsheet\nwith the intent of meeting the minimum OMB requirement for a program-level POA&M.\nOur review ofthe revised POA&M revealed that NH officials changed the format of the\nPOA&M but continued to omit IT security weaknesses known to management.\n\nThe Exhibit 300 "Capital Asset Plan and Business Case" for the NARA IT Infrastructure\nincluded an IT security investment request of $9.8 million for FY 2007 to maintain and\nimprove the level oflT security. The CIO\'s centralized security budget covered the\nexpenses for centralized monitoring and response, enterprise-wide security infrastructure\n(e.g. firewalls), training and awareness, and certification and accreditation activities.\nThis funding for IT security was provided without ensuring NH was making significant\nprogress in overcoming security weaknesses. By not utilizing the POA&M as a tool to\nassist the CIO in identifying, assessing, prioritizing, and monitoring the\nprogress of corrective efforts for security weaknesses found in programs\nand systems, the CIO may not be appropriately allocating funding.\n\nRecommendation 18. The Assistant Archivist for Information Services should develop\na plan of action and milestone process that provides visibility over all IT security\nweaknesses and issue written procedures regarding that process.\n\nManagement Comment(s)\n\nThe Assistant Archivist for Information Services concurred with the recommendation.\n\n\n\n\n                                            Page 31\n                         National Archives and Records Administration\n\x0c                                                                            OIG Audit Report No. 08-05\n\n\n            SECURITY AWARENESS TRAINING FOR INDIVIDUALS WITH \n\n                  SIGNIFICANT SECURITY RESPONSIBILITIES \n\n\nOnly 35 ofthe 67 (52%) individuals with significant security responsibilities 16 completed\nthe NARA Managers and Information System Security Officer (ISSO) training course\nand IT contractors were not required to complete the training even though they have\nsignificant security responsibilities. The purpose of this additional security awareness\ntraining was to provide current information about changes in IT security doctrine and\nreference policy and guidance affecting IT security programs. This occurred because NH\nofficials did not have a process to track which individuals at NARA had significant\nsecurity responsibilities and believed contractors met the training requirement based on\njob descriptions in the contracts. FISMA requires agencies to provide training to\nemployees and contractors to inform them of the risks associated with their activities and\ntheir responsibilities in complying with agency policies and procedures designed to\nreduce these risks. If employees do not receive training at a level associated with their\nresponsibilities, NARA risks security breaches resulting from employees who are not\nfully aware of their security roles and responsibilities.\n\nNARA Notice 2007-177 "Mandatory IT Security Training," May 21, 2007, stated there\nwere three types of training to select depending on your position and role within the\norganization. The notice required product owners, IT managers, and security\nprofessionals to take the "NARA Managers and Information System Security Officer"\ntraining course. According to an NH official, there was no clear definition of who\nconstituted "people with significant security responsibilities" therefore, the NH official\nconsidered only ISSOs (approximately14 employees) to need the additional training.\nFurther, the NH official stated NARA Notice 2007-177 was based on the notice from a\nprevious year and should not have included the requirement for NARA managers to take\nthe training in FY 2007.\n\nNH officials did not require IT contractors to complete the training even though the\ncontractors have significant security responsibilities over NARA IT assets and are IT\nsecurity professionals. For example, IT contractors at NARA have access to NARA\nservers and provide access to NARA systems. Therefore, these contractors have\nsignificant security responsibilities at NARA and should have been required to take the\nadditional training.\n\nAccording to the documentation provided by NH officials, over 250 individuals\ncompleted the "NARA Managers and Information System Security Officer" training\ncourse. However, NH officials identified only 67 individuals as required to take the\ntraining. An NH official stated the list was comprised of current system owners, IT\nmanagers, and IT security professionals, but that the course was not targeted towards\ncontractors.\n\nOMB Memorandum 07-19 contained questions and answers to assist agencies in\nanswering the FISMA reporting questions. One question asked "Is it the agency\'s\n\n16   The list of significant security personnel was provided by NH.\n\n                                                    Page 32\n                                 National Archives and Records Administration\n\x0c                                                                     OIG Audit Report No. 08-05\n\n\nresponsibility to ensure contractors have security training if they are hired to perfonn IT\nsecurity functions? Wouldn\'t they already be trained by their companies to perfonn this\nwork?" OMB responded "The agency should include in its contract the requirements for\nlevel of skill and experience. However, contractors must be trained on agency-specific\npolicies and procedures, including rules of behavior." The CISO used this response to\nexplain why NH contractors were not required to take the additional training course.\nAccording to the CISO, NlI contractors satisfy the training requirement because their job\ndescriptions prescribe the skills and experience needed to perfonn the job and the basic\nawareness course provided the agency-specific awareness and rules of behavior.\n\nThe purpose of the "NARA Managers and ISSOs" training course was to provide NARA\nIT system owners and managers, program and project managers, and persons providing\nIT security services with a source of current, up to date infonnation about changes in IT\nsecurity doctrine and reference links to policy and guidance affecting IT security\nprograms. According to the training course introduction, this course was particularly\ntargeted for those individuals whose jobs involve significant security responsibilities,\nassociated with the management or technical oversight ofNARA IT systems. Therefore,\nthis course should have been required for all NARA employees with significant security\nresponsibilities, including contractor employees.\n\nRecommendation 19. The Assistant Archivist oflnfonnation Services should develop a\nprocess to identify employees with significant security responsibilities.\n\nManagement Comment(s)\n\nThe Assistant Archivist for Infonnation Services concurred with the recommendation.\n\nRecommendation 20. The Assistant Archivist for Infonnation Services should require\nall individuals with significant security responsibilities, including contractor employees,\nto complete training based on the risk provided by their activities and develop a process\nto monitor compliance.\n\nManagement Comment(s)\n\nThe Assistant Archivist for Infonnation Services concurred with the recommendation.\n\n\n\n\n                                            Page 33\n                          National Archives and Records Administration\n\x0c                                                                     OIG Audit Report No. 08-05\n\n\n\n                                 PRIVACY PROGRAM \n\n\nPrivacy Impact Assessments (PIAs) did not include infonnation related to how personally\nidentifiable infonnation (PH) in the system would be secured and did not identify what\nchoices were made as a result of perfonning the PIA. This occurred because the PIA\ntemplate used did not contain a section for this infonnation and Privacy officials were not\naware these statements were required. OMB directed agencies to conduct PIAs and\nprovided specific instructions on the infonnation to be included. Without this\ninfonnation, the public, whose infonnation may be stored in the system, does not have\nassurance their infonnation is being properly protected.\n\nWe reviewed 10 PIAs and found the PIAs did not:\n   (a) affinn the agency is following IT security requirements and procedures;\n  (b) acknowledge the agency has conducted a risk assessment, identified security\ncontrols to protect the system, and implemented those controls;\n   (c) describe the monitoring, testing and evaluating to ensure controls continue to work\nproperly and safeguard infonnation;\n   (d) provide a point of contact for any additional questions from users; or\n   (e) identify what choices the agency made regarding an IT system or collection of\ninfonnation as a result of perfonning the PIA.\n\nOMB Memorandum 03-22, OMB Guidance for Implementing the Privacy Provisions of\nthe E-Government Act of2002, September 30, 2003, directs agencies to conduct reviews\nof how infonnation about individuals is handled within their agency when they use IT to\ncollect new infonnation, or when agencies develop or buy new IT systems to handle\ncollections of personally identifiable infonnation. OMB\'s Implementation Guidance for\nSection 208 of the E-Government Act requires agencies to conduct a privacy impact\nassessment for electronic infonnation systems and collections and, in general, make them\npublicly available. OMB 03-22 provides guidance on which systems require a PIA and\nthe specific infonnation that must be analyzed and described in the PIAs.\n\nA PIA was available on the Archives website for those systems identified as containing\nPH, however, the template used for the PIAs did not directly match to the OMB 03-22\nrequired contents. According to a privacy officer, the fonnat chosen was a collaborative\neffort between NH and NARA General Counsel Officials. The Privacy Official believed\nall the required infonnation was included and was not aware of the additional\nrequirements. Privacy officials received clarification from OMB regarding the content\nrequired and agreed to revise the PIAs to include this additional infonnation.\n\nRecommendation 21. The Senior Agency Official for Privacy, in coordination with the\nAssistant Archivist for Infonnation Services, should revise the existing Privacy Impact\nAssessments and the Privacy Impact Assessment template to incorporate infonnation\nrelated to how Personally Identifiable Infonnation in the system is secured and identify\nwhat choices were made as a result of perfonning the Privacy Impact Assessment.\n\n\n                                             Page 34\n                          National Archives and Records Administration\n\x0c                                                                   OIG Audit Report No. 08-05\n\n\nManagement Comment(s)\n\nThe Senior Agency Official for Privacy concurred with the recommendation.\n\n\n\n\n                                           Page 35\n                        National Archives and Records Administration\n\x0c                                                                   OIG Audit Report No. 08-05\n\n\n\n              APPENDIX A. IT SYSTEMS REVIEWED AND\n                        RESULTS OF THE REVIEW\n\n               Authorized    Complete                         Updated          Adequate\n                                             Complete\n  System           to        Security                        Contingency      Contingency\n                                             POA&M?\n                Operate?      Plan?                            Plan?           Plan Test?\n--redacted,\n                  Yes            No              No                No               No\nb(2)-\xc2\xad\n--redacted,\n                  Yes           Yes              No                No               No\nb(2)-\xc2\xad\n--redacted,\n                  Yes            No              No                No               No\nb(2)-\xc2\xad\n--redacted,\n                  No             No              Yes               No               No\nb(2)-\xc2\xad\n--redacted,\n                  Yes            No              No                No               No\nb(2)-\xc2\xad\n--redacted,\n                  Yes            No              Yes               No               No\nb(2)-\xc2\xad\n--redacted,\n                  Yes            No              No                No               No\nb(2)-\xc2\xad\n--redacted,\n                  Yes            No              Yes               No               No\nb(2)-\xc2\xad\n--redacted,\n                  Yes            No              No                No              N/A\nb(2)-\xc2\xad\n--redacted,\n                  Yes            No              No                No               No\nb(2)-\xc2\xad\n--redacted,\n                  Yes            No              Yes               Yes             Yes\nb(2)-\xc2\xad\n--redacted,\n                  Yes            No              No                No               No\nb(2)-\xc2\xad\n\n\n\n\n                                           Page 36\n                        National Archives and Records Administration\n\x0c                                                                                        Appendix B \n\n                                                                                         Page 1 of 4 \n\n\n\n\n\n                   National Archives and Records Administration\n                                                                              .      8601 Ad~iphi Road\n                                                                   College Park, Maryland-~t(f7-40-6001\n\n\nDate:        March 17,2008\n\nTo:          Paul Brachfield (OIG)\n\nFrom:        Martha Morphy (NH)\n\nSubject:    Comments on the OIG Audit Report No. 08-05: Audit ofNARA\'s Compliance with the\n            Federal Information Security Management Act for FY 2007\n\n            We are in receipt of your report and would like to thank you for the opportunity to respond\n            to its [mdings and recommendations. We would particularly like to express our appreciation\n            for the hard work done by your staff and auditors in the preparation ofthe report, the effort\n            has yielded a product which is irformative and which will be of significant value to our\n            security program.\n\n            We concur with all of the recommendations in the report, and will provide a summary\n            response here, with details in the auditaction plan. Otherwise, the findings of the report\n            provide a detailed view of problems which are the subject of more general efforts\n            associated with our plan to remove the external material weakness that was declared in the\n            FY 2007 PAR, and where steps have been taken to address these problems, they will be\n            detailed in our audit action plan.\n\n\n            General Response to Recommendation 1.\n\n\n\n\n           Recommendation 1: Concur\n\n           General Response to Recommendations 2-10\n\n           The report notes that while a number of incidents recorded by NARA\'s IDS systems were\n           not reported to US CERT within specified timeframes, these incidents were all resolved\n           internally and on the basis of standard operating procedures which did not require the\n           convening of the NARA CIRT. We believe that these discrepancies can be addressed.\n           Efforts to revise and perfect the Incident Response Policy and the guidance in the\n           Handbook are ongoing, and will be described in the Audit Action Plan.\n\n           Recommendation 2: Concur\n           Recommendation 3: Concur\n           Recommendation 4: Concur\n           Recommendation 5: Concur\n           Recommendation 6: Concur\n\x0c                                                                             Appendix B \n\n                                                                              Page 2 of 4 \n\n\n\n\n\nRecommendation 7: Concur \n\nRecommendation 8: Concur \n\nRecommendation 9: Concur \n\nRecommendation 10: Concur \n\n\n\nGeneral Response to Recommendations 11-13.\n\nEfforts to address process and documentation limitations of the current Certification and\nAccreditation packages are ongoing as part of the response to the Material Weakness.\nSpecific initiatives which address the recommendations in this section will be detailed in\nthe audit action plan.\n\nRecommendation 11: Concur\nRecommendation 12: Concur\nRecommendation 13: Concur\n\n\nGeneral Response to Recommendation 14.\n\nIn 2006 NARA issued updated versions ofNARA Directive 202 and Directive 804 which\ndearly established the roles and responsibilities necessary to comply with this\nrecommendation.\n\nAt that time NAS and NHI began a review ofthe certification status ofthe SCI systems.\nThat review determined that NARA had consistently andproperly certified the SCI\nsystems on a regular basis, but had not been able to maintain contact with the accrediting\nagency which sponsors those systemsfor the DNI. Resource constraints in the office of\nthe DNI are a reality, and despite efforts to secure accreditation decisions, there are\ncurrently three SCI systems which have been tested and recommendedfor certification,\nbut which have no accreditation decision.\n\nThe DAA will be meeting with NARA program officials to establish actionable dates/or\nthe certification ofthese systems, and those details will be provided in the audit action\nplan..\n\nRecommendation 14: Concur\n\n\nGeneral Response to Recommendations 15-20.\n\nWe concur with the findings and the recommendations. Actions being taken in response to\nthe material weakness and the reportable condition will be reviewed to assure that the\nspecifics of these findings are addressed by those initiatives.\n\nRecommendation 15: Concur\n\x0c                                                                      Appendix B \n\n                                                                       Page 3 of 4 \n\n\n\n\n\nRecommendation 16:    Concur\nRecommendation 17:    Concur\nRecommendation 18:    Concur\nRecommendation 19:    Concur\nRecommendation 20:    Concur\n\n\nGeneral Response to Recommendation 21.\n\nThis will be addressed by the Privacy Officer.\n\n\n\nPlease call -   IJ(~)-- at 301 . . 837--- for any questions regarding this response.\n\n\n\n                    ~i/J~                  .\nM     "     MORP~Y     V .                 .\nAssistant Archivist for Informati   Services\n\x0c                                                                                    Appendix B \n\n                                                                                     Page 4 of 4 \n\n\n\n\n\n                   National Archives and Records Administration\n                                                                                8601 Adelphi Road\n                                                                College Park Maryland _2@7!!.0-6001\n\n\nDate:      March 18,2008\n\nTo:        James Springs, OIG\n\nFrom:      Gary M. Stern, NGC\n\nSubject:   OIG FISMA Audit Report\n\n           The Office of General Counsel (NGC) concurs with privacy related recommendation\n           21, found in the Office of Inspector General\'s FISMA Audit Recommendations.\n\n           Any questions related to this memo can be addressed to Ramona Oliver, NARA Privacy Act\n           Officef.\'\n\n\n\n                  ~\'SiERN1th\n           G eral Counsell\n           S\'enior Agency Official for Privacy\n\x0c'